编辑 2 - PHP 函数来清理和转义动态 MySQL 中使用的任何变量 - 我的代码
我需要 php 中的通用函数来正确清理和转义动态 MySQL 语句中使用的任何变量。例如,MySQL 很容易受到用户随机插入数据的影响。任何示例代码或链接都将受到高度赞赏。
编辑 1-我确实点击了下面发布的链接。我仍然觉得一个具体的例子会有帮助。工作中的要求是有一个如下所示的函数:
function MySQLClean($string){
// Contentns
return string;
}
我的问题是
- 这个函数应该为 mysql 转义哪些字符。我知道一些像
' ^等 - 应该删除哪些字符,即清理?。这应该是通用的而不是特定于数据库的。
- 我该如何测试它? - 是的,我在执行查询之前将构成查询的每个字符串传递给此函数,还是将整个查询传递给此函数,将它们拆分为标记,然后清除/转义标记化字符串中的每个字符并将其返回通过将其连接在一起。
“转义和清理”查询字符串之前和之后的示例将受到高度赞赏。
如果这个解释看起来模糊且不具体——那几乎概括了我对如何清理和验证数据的理解。不过,我很乐意提供任何进一步的细节。
编辑2 - 阅读了网上的一些材料并点击下面给出的答案中的链接后 - 我有以下功能
function MySQLClean($string)
{
if(get_magic_quotes_gpc()){
$string = stripslashes($string);
}
return addcslashes(mysql_real_escape_string($string),"%_");
}
这足够了吗?
I needed a generic function in php that will properly clean and escape any variable used in a Dynamic MySQL Statement. For example MySQL is vulnerable to random user - inserted data. Any sample code , or links are highly appreciated.
Edit 1- I did follow the links posted below. I still feel a concrete example would help.The requirement at work is to have a function which ma look like below:
function MySQLClean($string){
// Contentns
return string;
}
My questions are
- What characters should this function escape for mysql . I know a few like
' ^etc - What characters should be removed i.e cleaned ?. This should be generic rather than databsae specific.
- How do I test it ? - Do , I pass in each string that make up my query to this function before executing the query or do I pass in the entire query to this function , split them into tokens and then clean/escape each character in the tokenized string and return it by joining it together.
An example of a Before and After "Escaping and Cleaning" the query string will be highly appreciated.
If this explanation seems vague and unspecific - that pretty much sums up my understanding of how to clean and validate the data. I will however be glad to provide any further details.
Edit 2 - After reading some material on the net and following the link in the given below answers - I have the below following function
function MySQLClean($string)
{
if(get_magic_quotes_gpc()){
$string = stripslashes($string);
}
return addcslashes(mysql_real_escape_string($string),"%_");
}
Is this sufficient?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果您使用准备好的语句,您的数据将被清理并帮助防止 SQL 注入攻击。
If you use prepared statements, your data will be cleaned and help prevent SQL injection attacks.
http://www.php.net/manual/en /function.mysql-real-escape-string.php
http://www.php.net/manual/en/function.mysql-real-escape-string.php
好的,既然您已经编辑了您的问题并且我更好地理解了您想要做什么,那么让我这样说:
不要这样做!
您将遇到字符集的问题连接、不同的排序规则等。您可能会错过很多边缘情况,但仍然容易受到攻击。有关边缘情况的示例,请查看 Chris Shiflett 的博客Post...
如果您正在编写数据库抽象层并希望创建统一的接口,请在驱动层中调用数据库的转义方法。不要尝试编写自己的转义机制,因为它几乎不如内置的转义机制,并且也不会保持最新......
Ok, since you've edited your question and I better understand what you're trying to do, let me say this:
Don't Do It!
You will run into problems with the character set of the connection, differing collations, etc. There are a fair number of edge cases that you will likely miss and still be vulnerable with. For one example of an edge case, check out Chris Shiflett's Blog Post...
If you're writing a DB abstraction layer and want to create a uniform interface, call the database's escape method in the driver layer. Don't try to write your own escape mechanism since it will not be nearly as good as the in-built one, and will not be kept up to date as well either...